by kevlened
793 days ago
In an ideal world, the private key should be stored in an HSM, preventing exfiltration. However, even assuming an HSM, the current scheme doesn't protect against malicious actors pre-signing requests on the client and exfiltrating those requests. This library adds more defense-in-depth, making it harder to attack sessions, but not impossible.